from the dysfunctional-by-design dept

A few months ago, the South Korean government strongly suggested parents load their children's cell phones up with government-approved spyware. It recommended an app called "Smart Sheriff." The app provided plenty of reassurance for parents, if said parents were willing to let the government look over their children's shoulders while they browsed the web, chatted about kid/teen things or otherwise engaged with their devices.

It also claimed to block porn, alert parents to budding sexuality and otherwise ensure no amount of phone use was left unreported. And, if South Korean parents somehow felt the government might be overstepping its bounds a bit, cell phone providers were obliged to hassle parents about underuse of the government-approved spy app.

Now, it appears that everything the mandated spyware grabs, it also leaks in one form or another. Citizen Lab (the same entity that sniffed out the connection between malware provider Hacking Team and blacklisted governments) has audited Smart Sheriff and has found its security measures to be mostly terrible. Not only does the recommended app not protect the transmission of personal data, but it doesn't even live up to the government's own standards for data and information security.

We identified twenty-six vulnerabilities and design issues that could lead to the compromise of user accounts, disclosure of information, and corruption of infrastructure. The same issues were often present in multiple parts of the application and infrastructure. For example, we identified a potential attack against user accounts via the Smart Sheriff mobile application, then determined that it could also be made against the Web-based parental administration site. These multiple flaws suggest that the application was not fully examined for security issues before being released. Both audits were done in a limited window of time and without access to the original source code.

Smart Sheriff loads up on personal data during registration, demanding the phone numbers of both children and parents, along with the child's gender and date of birth. The information keeps flowing while in use, gathering data on apps installed and used, as well as browsing history. Then it transmits all of this information (some of it in plaintext) back to its storage, which is unencrypted. (This makes a certain sort of sense, considering the transmission of data is similarly unencrypted. Why lock it down in storage if you can't be bothered to arrange for its safe travel?)

What comes through as plaintext is the user's browser history. Visited sites are matched against a blocklist. (Strangely, no sites are actually blocked, as this function raised concerns about user privacy. But it still gathers the data, sends it in plaintext and stores it in unencrypted form. So these privacy concerns are sabotaged just as soon as they're addressed.) In order to match sites against its blocklist, the software edges around HTTPS protections to match the user to the site visited.

Beyond that, the software's authentication process can be decrypted by reverse engineering or decompiling the app. There's layer upon layer of inadequate security that adds up to a total catastrophe should anyone manage to make their way through any number of easily-prised doors.

The primary mechanism for authentication across the Smart Sheriff service is a device identifier that is derived using reversible obfuscation rather than industry-standard encryption. If an attacker is able to guess, enumerate, or intercept the device identifier of a phone with Smart Sheriff installed, the attacker can impersonate the application and undertake a range of attacks.

For example, using only the device identifier, an attacker can impersonate a user and request the parents’ phone number, children’s names, and their dates of birth. Moreover, an attacker can use the Smart Sheriff API to request a parent’s administration code (itself an insecure four-character string) and use it to take control of the account.

Basically, the app is good enough for government work, as the saying goes. The government desires its public to have more control over the actions of their children. This, in turn, allows the government to have more control over the parents. The "do something" do-goodery we see in our own legislators is echoed here. In response, a "good enough" solution is mandated, even if it's not actually good enough. No one in charge of these mandates seems to care too much about the security flaws and gaping holes -- not even the company that made the app.

After our disclosure, MOIBA released an update to Smart Sheriff (v1.7.6) that includes communication over HTTPS. However this version does not properly validate the credentials received and appears to accept a self-signed certificate, which minimizes the update’s effectiveness.

As Citizen Lab points out, the software does too much and too little, simultaneously, gathering the worst aspects of both. It fails to meet government guidelines on information security while going much further with surveillance and control than the government has actually mandated. The worst part of it is that the government has mandated use of the software, which gives citizens no option but to place their children's privacy in the hands of an entity that clearly has no respect for it. On top of that, it makes parental monitoring of children's cell phone use the new normal, which only makes it easier for the government to make further related demands down the road.
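
The two weaknesses quoted from the audit above, a device identifier that doubles as the login credential and a four-character administration code the API will hand out, are contrasted with a hardened design in the following Python sketch. This is an added example, not Smart Sheriff's or Citizen Lab's code: the XOR obfuscation, the constant, the phone number and the HardenedAuth class are all constructed for illustration, because the audit excerpt does not describe the app's actual derivation.

```python
import hashlib
import hmac
import secrets

# Hypothetical constant. Anything shipped inside a client can be recovered
# by decompiling it, so it cannot serve as a secret.
APP_CONSTANT = b"baked-into-every-client"


def _xor(data: bytes) -> bytes:
    """Constructed stand-in for 'reversible obfuscation'."""
    return bytes(b ^ APP_CONSTANT[i % len(APP_CONSTANT)] for i, b in enumerate(data))


def weak_device_id(phone: str) -> str:
    """Weak pattern: the credential is a fixed, reversible function of a phone number."""
    return _xor(phone.encode()).hex()


def recover_phone(device_id: str) -> str:
    """The same operation run backwards: an observed identifier discloses the number."""
    return _xor(bytes.fromhex(device_id)).decode()


class HardenedAuth:
    """Hypothetical server side: random per-device tokens, hashed storage,
    and a lockout so a short admin code is never open to unlimited guessing."""

    MAX_ADMIN_ATTEMPTS = 5

    def __init__(self):
        self._token_hashes = {}  # device label -> SHA-256 of the issued token
        self._admin_codes = {}   # device label -> (salt, PBKDF2 hash of the code)
        self._failures = {}      # device label -> consecutive wrong admin codes

    @staticmethod
    def _kdf(code: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def register(self, device: str, admin_code: str) -> str:
        # 256 random bits, unrelated to the phone number or any client constant.
        token = secrets.token_urlsafe(32)
        self._token_hashes[device] = hashlib.sha256(token.encode()).digest()
        salt = secrets.token_bytes(16)
        # Only a salted hash is kept, so no API call can return the code itself.
        self._admin_codes[device] = (salt, self._kdf(admin_code, salt))
        self._failures[device] = 0
        return token

    def authenticate(self, device: str, token: str) -> bool:
        expected = self._token_hashes.get(device)
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison; unknown devices are compared against zeros.
        matches = hmac.compare_digest(presented, expected or bytes(32))
        return matches and expected is not None

    def check_admin_code(self, device: str, token: str, code: str) -> bool:
        if not self.authenticate(device, token):
            return False
        if self._failures[device] >= self.MAX_ADMIN_ATTEMPTS:
            return False  # locked until reset through a separate channel
        salt, stored = self._admin_codes[device]
        ok = hmac.compare_digest(self._kdf(code, salt), stored)
        self._failures[device] = 0 if ok else self._failures[device] + 1
        return ok


if __name__ == "__main__":
    phone = "01012345678"  # constructed sample number
    device_id = weak_device_id(phone)
    print("weak identifier:", device_id, "->", recover_phone(device_id))

    auth = HardenedAuth()
    token = auth.register("device-1", "k3y!")
    print("token accepted:", auth.authenticate("device-1", token))
    print("identifier accepted as token:", auth.authenticate("device-1", device_id))
```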

from the that's-illegal dept

Down in Australia, it appears that phone giant Vodafone is facing a bit of a scandal as it's come out that the company went digging into a journalist's phone records after she wrote some stories about security flaws in a Vodafone system. Remember, a decade ago, when there was a big scandal at HP, when it spied on board members to try to stop leaks? That was bad. This is worse. This is directly violating a customer's privacy, just because you're upset about some leaks.

In a 2012 email from then Vodafone Hutchison Australia head of fraud Colin Yates to then Vodafone global corporate security director Richard Knowlton, Mr Yates warns of the “huge risk” to the company if a string of allegations — which he “has no reason to believe” are not factual — “gets into the public domain”.

Of particular concern to Mr Yates was the hacking of the “call charge records and text messages” from the mobile of Fairfax investigative reporter Natalie O’Brien, then a Vodafone customer.

On January 10, 2011, the day after O’Brien broke a story about major security flaws with Vodafone’s Siebel data system — including that private call records could be illegally accessed — Vodafone investigators had discussions about searching her phone records to find the Vodafone sources for the story.

You can see the story by O'Brien here, in which she revealed that people could access Vodafone customer information, because a source she was talking to had the password to the company's database. This resulted in an investigation by Australia's Privacy Commissioner into Vodafone's security practices. Meanwhile, Vodafone tried to play the whole thing down as a "one-off incident" of someone abusing the password to the system.

Meanwhile, in the background, they were abusing their own systems to try to figure out who was talking to O'Brien -- and were admitting internally that they were misrepresenting the real situation publicly:

Following her story, Vodafone executives allegedly “told the press, the NSW Privacy Commissioner and other high-profile Australian agencies that the breach was a one-off incident”.

Mr Yates wrote to Mr Knowlton: “As you know this is in fact not the case and VHA has been suffering these breaches since Siebel went live and did nothing or very little to close off the weaknesses that allowed them to occur.”

Investigating a privacy breach by breaching the privacy of the reporter who exposed it is... perhaps not the proper response.

from the not-a-good-idea dept

We've written a few times now about how the parent company of Ashley Madison, Avid Life Media, has been committing perjury and issuing completely bogus copyright demands to try to hide the information that was leaked after its servers got hacked. Last month, that tactic (despite not complying with the law) apparently worked briefly, until the full data dump happened last week. But that hasn't stopped the company from continuing to try. EFF wrote a long blog post detailing how this was a clear abuse of the law, but Avid Life Media doesn't seem to care.

After the leak came out, a few sites sprang up quickly to help people search the database. Whether or not you think it's appropriate to set up such a site (or to use it) is a separate issue, but what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons. There were two main sites that got the bulk of attention for setting up such a database, and one has already shut down and the other has received a takedown demand (though not a copyright one). I won't link to either site, but here's what's now posted on one of the sites:

Meanwhile, the creator of the other main search engine has said on Twitter that he, too, has been hit with "a vexatious DMCA from lawyers acting on behalf of Avid Life Media," and reporters are similarly, and mistakenly, calling it a DMCA. But according to the copy the guy posted to Pastebin, the letter sent by Avid Life Media's lawyers at giant law firm DLA Piper to CloudFlare is not actually a DMCA, but rather a weird "please, take this down because... vague reasons and terms of service violations." That is, there's no real legal threat (because there's no basis for one). It's just vaguely threatening, hoping to scare people off:

Our firm is counsel to Avid Life Media, Inc. (“ALM”) with respect to its intellectual property and data privacy matters. As you may know, ALM is the parent company of the online dating and social networking service Ashley Madison. Because users entrust ALM with highly sensitive and intimate details (collectively the “Ashley Madison User Data”), the privacy of ALM’s users is of utmost importance. As a result, ALM proactively and arduously regulates any authorized (and unauthorized) use of Ashley Madison User Data.

This letter is to inform CloudFlare, Inc., and all related entities (collectively, “You”) that, upon information and belief, CloudFlare, Inc.’s client (“Your Client”), has posted a searchable database of the Ashley Madison User Data to a website hosted on a domain name hosted by You. Specifically, Your Client has posted the Ashley Madison User Data at the following URL: https://ashley.cynic.al/ (the “URL”). Your Client’s publication of the Ashley Madison User Data may constitute illegal disclosure of private personal information, and potentially expose millions of individuals around the world to identity theft.

Moreover, we believe that the website content hosted at the URL may violate Your Terms of Use, located at: https://www.cloudflare.com/terms. Specifically, the website content hosted at the URL may violate the Terms of Use in that it likely infringes upon the privacy and personal data rights of the Ashley Madison users. Accordingly, ALM requests that You take action to remove and/or disable access to all content at the URL.

Please note that this letter is made without prejudice to any other rights or remedies that may be available to ALM. Nothing contained herein should be deemed a waiver, admission, or license by ALM, and ALM expressly reserves the right to assert any other factual or legal positions as additional facts come to light or as the circumstances warrant.

CloudFlare, in response, told the guy that it had forwarded the name of the actual hosting provider (a non-US company) to the lawyers at DLA Piper, and at last check, the guy claims that his hosting company, ColoCall out of Ukraine, has not done anything about it. That may change, but it's not clear what legal basis ALM has for the demand. It's nice to see that ALM is no longer making totally bullshit copyright claims, but these weird "privacy and personal data rights" claims don't have much legal basis either.

from the didn't-really-think-this-through,-did-you? dept

If you'd like to blow the whistle on government activity, there are several options available to you. First, there are the "proper channels," which come highly recommended by government officials who don't care much for whistleblowers. Then there's the media. Depending on which outlet you choose, there's probably going to be a lot of backdoor chatter with officials to "negotiate" the terms of document releases -- which could result in a more concerted effort by the government to expose the source of the documents.

There are other outlets like Wikileaks, which provide less narrative and analysis, but are generally more willing to release large sets of documents at one time, rather than trickling them out over a period of several years. Safety isn't guaranteed, but Wikileaks is far less likely to return government agencies' calls.

In an embarrassing security breach, a 21-year-old Department of Defence graduate allegedly managed to download a secret Defence Intelligence Organisation assessment, burn it to a disc, take it home and post it to anonymous image-sharing forum 4chan while praising Julian Assange as his hero.

Why this person decided 4chan was the best outlet for a top secret, Five-Eyes-only document is unclear. It seems to suggest the leaker had some familiarity with the forum and its denizens. But if so, he surely had to know his leak had about a 99% chance of being greeted with derision… at best.

Michael Scerba, the alleged document leaker, watched his original post -- which supposedly contained the first two pages of the classified document -- get the usual 4chan response. He complained about it -- at 4chan -- four days later.

A user, who prosecutors allege was Scerba, complained that no one had believed the documents were real.

"Plus to my dismay I just got a bunch of 'fake and gay' remarks and the secret documents went 404 [website not found] about 4 comments 1 hour later," he allegedly posted.

"So... any other suggestions on how to minimize getting caught by authorities?"

No suggestions were forthcoming, apparently. Scerba was caught by authorities. He's now facing charges of leaking sensitive information.

Almost as astonishing as Scerba's actions is how the leak was discovered.

Court documents describe the discovery of the leak as "fortuitous", occurring only when a former Defence Signals Directorate employee stumbled onto the post while browsing the website.

It's unclear from this sentence whether the employee was browsing the site on his own time after leaving the employ of the Directorate or whether he kept one eye on the website as part of his Defence Signals activities. If it's the latter, 4chan is being monitored by at least one government agency.

It's also unclear as to how much damage actually needs to be mitigated. The original post only stayed live for one hour. The government's statements claim "14 people had already commented on it" as if that's some sort of significant amount. It also suggests the government believes it was 14 different people (at minimum) who had seen the post, which is quite the assumption in regards to this wholly anonymous forum.

No one does "meta" quite like 4chan. Two definitely NSFW threads (here and here) discussing the news report of the attempted 4chan document leaking are available for those who have some general idea what they're getting into if they click through. Those unfamiliar with the particular charms of 4chan are probably better off gathering this information from other sources. It does appear that no archive of this leaked document exists, which is kind of why no one has ever suggested using 4chan as a leaked document repository.

And, in the end, we learn absolutely nothing new about our Five Eyes partner's secret activities, other than that some former or current employees of a certain agency browse 4chan for work/pleasure. As for 4chan, it will continue to be 4chan. Vice's Drew Millard boils down the essence of 4chan to a single sentence:

The site's users seemed generally pleased with their actions.

Feed something to 4chan and you'll get back whatever the users choose to give you. The site exists largely for its own amusement. Scerba may have thought using an anonymous board would give him additional protection, but all it really got him was insults to go with his legal injuries.

from the reasons-to-be-cheerful dept

There's been quite a lot of excitement in the press about the latest leaks that the NSA has been spying on not just one French President, but (at least) three of them. As Mike pointed out, this isn't such a big deal, because it is precisely the kind of thing that you would expect the NSA to do -- as opposed to spying on the entire US public, which isn't. There is, though, an aspect that most people have overlooked: the fact that these NSA leaks don't appear to originate from Snowden's stash.

Of course, Mr Crypto himself, Bruce Schneier, did spot it, and pointed out it could be one of his "other" US intelligence community leakers, listed a couple of months ago, or even a completely new one. As that post shows, there are now a few people around that are leaking secret documents, and that's a pretty significant trend, since you might expect enhanced security measures taken in the wake of Snowden's leaks would have discouraged or caught anyone who attempted to follow suit.

What all those collections have in common is the fact that they came from WikiLeaks. As Chiusi rightly emphasizes, after a period when WikiLeaks seemed to have lost its ability to release important material -- and thus its relevance -- the organization is beginning to hit its stride again. Coupled with the fact that there are half-a-dozen or so people who are leaking intelligence materials, that development offers hope that things are really beginning to look up on the transparency front.

from the journalism! dept

Let's start with this. Soon after Daniel Ellsberg was revealed as the source behind the Pentagon Papers, White House officials started spreading rumors that Ellsberg was actually a Soviet spy and that he'd passed on important secrets to the Russians:

None of it was true, but it was part of a concerted effort by administration officials to smear Ellsberg as a "Soviet spy" and a "traitor" when all he really did was blow the whistle on things by sharing documents with reporters.

Does that sound familiar? Over the weekend, a big story supposedly broke in the UK's Sunday Times, citing anonymous UK officials arguing that the Russians and Chinese got access to all the Snowden documents and it had created all sorts of issues, including forcing the UK to remove undercover "agents" from Russia. That story is behind a paywall, but plenty of people have made the text available if you'd like to read the whole thing.

There are all sorts of problems with the report that make it not just difficult to take seriously, but which actually raise a lot more questions about what kind of "reporting" the Sunday Times actually does. It's also worth noting that this particular story comes out just about a week or so after Jason Leopold revealed some of the details of the secret plan to discredit Snowden that was hatched in DC. Even so, the journalism here is beyond shoddy, getting key facts flat out incorrect, allowing key sources to remain anonymous for no reason, and not appearing to raise any questions about the significant holes in the story.

Snowden has made it clear for well over a year that once he gave the documents to the original journalists, he got rid of them and no longer had them -- so he wouldn't even be able to give them to anyone else, even if they wanted them. Yet, the article insists that the Russians got them, and originally included a claim that supposedly ties the documents to Snowden in Moscow:

It is not clear whether Russia and China stole Snowden’s data, or whether he voluntarily handed over his secret documents in order to remain at liberty in Hong Kong and Moscow.

David Miranda, the boyfriend of the Guardian journalist Glenn Greenwald, was seized at Heathrow in 2013 in possession of 58,000 “highly classified” intelligence documents after visiting Snowden in Moscow.

During the ensuing court hearing Oliver Robbins, then deputy national security adviser in the Cabinet Office, said that the release of the information “would do serious damage to UK national security, and ultimately put lives at risk”.

Except, that middle paragraph is simply factually incorrect -- as basically any report on the original detention would have made clear. Miranda had been in Berlin with Laura Poitras, and not in Moscow with Snowden. After this rather important factual error was pointed out repeatedly... the Sunday Times simply deleted it with no retraction or correction. Down the memory hole. Well, except if you have the paper copy:

Considering that that point is sort of a key string in the narrative of putting the documents in Russia -- the fact that it is flat out false (despite the easy fact checking) should call into question the rest of the story. But there are even more problems with it the deeper you dig. Craig Murray, a former ambassador and diplomat for the UK, has written the best explanation, saying that the story "is a lie." He highlights five very serious problems with the story, starting with the fact that the terminology is wrong. In the article, the anonymous government official is quoted as follows:

A senior Downing Street source said: “It is the case that Russians and Chinese have information. It has meant agents have had to be moved and that knowledge of how we operate has stopped us getting vital information."

Except, as Murray notes, no actual government source who was familiar with these things would mistake an "agent" for an "officer."

Yet the schoolboy mistake is made of confusing officers and agents. MI6 is staffed by officers. Their informants are agents. In real life, James Bond would not be a secret agent. He would be an MI6 officer. Those whose knowledge comes from fiction frequently confuse the two. Nobody really working with the intelligence services would do so, as the Sunday Times source does. The story is a lie.

He also dismisses the "blood on his hands" money quote given in the article. That line was directed at Snowden -- though, it was almost immediately undercut within the same exact article by someone noting "there is no evidence of anyone being harmed." It's almost as if no one actually bothered to think through the propaganda message. Murray points out that the idea that any officers would be in danger is hogwash. Beyond the fact that the Russians and Chinese don't kill western spies (they just kick them out of the country), there's the simple fact that such info would never be in the documents Snowden had:

Rule No.1 in both the CIA and MI6 is that agents’ identities are never, ever written down, neither their names nor a description that would allow them to be identified.

This same point is further confirmed by Ryan Gallagher, one of the journalists who does have access to the Snowden files and says that there is no such information in them.

This was a surprise to me because I've reviewed the Snowden documents and I've never seen anything in there naming active MI6 agents. Were the agents pulled out as a precautionary measure? Keeping in mind that the UK government does not actually know exactly what Snowden leaked, how do these officials know there were documents in there that implicated MI6 operatives and live operations in the first place?

Murray further notes that the Russians are already pretty sure they know who the UK's spies are (and vice versa) and even if they were revealed in the documents, which he doesn't think is true, there'd be no reason to remove anyone anyway.

The Sunday Times piece further repeats the long repudiated claim that Snowden's cache included 1.7 million documents -- a number that even the NSA now admits was bunk and based solely on the number of documents he "touched," not those Snowden actually took.

Then there's this point, raised by security professor Matthew Green: If the intelligence agencies really believed that Snowden was carrying such damaging documents on his person, why would they strand him in Moscow by pulling his passport? Another potential problem: at one point, the article implies that Snowden may have handed the documents over as part of a "deal" with the Russians or Chinese, but in another part of the article, it discusses how the Russians and Chinese cracked the encryption on the stash. So which is it? Did he hand them over, or were they encrypted?

The whole thing is such a shoddy piece of propaganda that it seems almost hilarious... and would be if actual serious news sites weren't repeating the claims, often with little question. The BBC was quick to put up a piece repeating the claims -- though it has since added a few dissenting viewpoints. Many other UK tabloids have more or less repeated the claims. The only paper that seems to be strongly pushing back is The Guardian (which published the first Snowden revelation and many later ones as well). It has been raising lots of questions about the original reporting, demanding answers from the UK government about the claims, and has actually been willing to call out the report as "low on facts, high on assertions."

Is it possible that others have access to these documents? Sure. Of course, the world itself has seen many of them, thanks to reporters revealing them publicly (something Snowden himself never did).

Still, even back when Snowden was in Hong Kong, intelligence community defenders insisted it meant that China had the documents. And the second he was in Moscow, they insisted that Russia had them too. In this case, it honestly sounds like the naive reporters at the Sunday Times took that "speculation" and wrote an entire story about it, searching for quotes that would confirm the thesis, but not doing any actual journalistic activity. So they got their story, and it's now quite easy to poke it full of very large holes.

Of course the timing on this is even more suspect. It comes out just as a report was published in the UK that slammed some aspects of government surveillance, and it seems noteworthy that right before this, there was a sudden upsurge in ridiculous and slightly unhinged fear mongering about Snowden himself -- none of which comes with any actual evidence, only angry speculation. It's almost as if governments pushing for greater surveillance powers might mount a coordinated propaganda campaign to smear the one guy who has been exposing their bullshit.

from the because-that's-how-this-works dept

Over a decade ago, I pointed out that every single time there were reports of big "data leaks" via hacking, a few weeks after the initial report, we would find out that the leak was even worse than originally reported. That maxim has held true over and over again. And, here we go again. Last week, we noted that the US government's Office of Personnel Management had been hacked, likely by Chinese hackers. And, now, it has come out that the hack was (you guessed it) much worse than originally reported.

The President of the union that represents federal government workers, the American Federation of Government Employees (AFGE), sent a letter to the director of the OPM, claiming that the hackers got away with the Central Personnel Data File, which includes full information on just about everything about each employee -- including (get this) unencrypted social security numbers.

Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees. We believe that hackers have every affected person's Social Security number(s), military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more.

Oh, and then there's this:

Worst, we believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous.

The letter further points out -- as we did last week -- that the 18 months of credit monitoring the government has offered everyone is a complete joke. It's unlikely that the hackers are looking to do identity fraud for financial gain -- and quite likely this is for espionage purposes.

But, let's go back to the Social Security numbers being unencrypted for a second. Remember, this hack is already being used by intelligence system defenders to argue for why we need stronger "cybersecurity" laws that will give the NSA and FBI much greater access to Americans' data.

Both of these organizations strongly support "cybersecurity" legislation, claiming that it's necessary so that the US government can "help" companies dealing with "critical infrastructure." And yet, here we are, with the government's own personnel files being held in a system without encryption that was hacked and copied by (likely) foreign hackers. And we're supposed to trust two government agencies who have been going around cursing encryption, that we should give them more access to "protect us" when the attack on another government agency likely could have been prevented if they'd just used encryption?

As plenty of cybersecurity experts will tell you, the problem in the security realm is not "information sharing." It's people doing stupid things in how they set up their systems. Not encrypting the employee files for every government employee seems to fit into that category. Perhaps, rather than focusing on bogus "cybersecurity" legislation to give more power to the idiots shouting against encryption, we should have the government focus on getting its own house in order, including encrypting employee data.

from the snake-eats-itself dept

It's been two years since the very first news report in the Guardian based on documents provided by Ed Snowden. The NY Times (and other newspapers around the globe in varying languages) has published an op-ed by Snowden himself that gives a nice summary of how much has happened in the past two years, with real pushback finally starting to appear. As Snowden says:

The balance of power is beginning to shift. We are witnessing the emergence of a post-terror generation, one that rejects a worldview defined by a singular tragedy. For the first time since the attacks of Sept. 11, 2001, we see the outline of a politics that turns away from reaction and fear in favor of resilience and reason. With each court victory, with every change in the law, we demonstrate facts are more convincing than fear. As a society, we rediscover that the value of a right is not in what it hides, but in what it protects.

As you may recall, late in 2013, a talking point emerged that Snowden had made off with 1.7 million documents -- many of which included military secrets. The number had changed a bunch. The first claim was 60,000 documents. Then 200,000. When 60 Minutes did an NSA puff piece in December of that year it had ballooned to 1.5 million documents. A few days later, politicians seemed to settle on 1.7 million documents -- even as Glenn Greenwald (who actually had the documents) pointed out that it wasn't even close to true.

As we, and many others, pointed out around then, the 1.7 million claim appeared to be based on faulty assumptions, with the big one being that he copied every document from every network he ever scanned. A few months later, after all the fuss died down, James Clapper finally admitted that the 1.7 million number was hogwash -- but, by then, most of the press had moved on.

As Leopold's reporting has turned up, however, Congressional Snowden-haters were really, really eager to use this claim of 1.7 million documents to "shift the story" on Snowden. They had received that number as a talking point in a DIA briefing and wanted to make use of it:

"Members from both sides (Reps. Richard Nugent, Austin Scott, Henry "Hank" Johnson, Jr. and Susan Davis) repeatedly pressed the [DIA] briefers for information from the [Snowden damage] report to be made releasable to the public," states a February 6, 2014 DIA summary prepared for then-DIA director Lieutenant General Michael Flynn and deputy director David Shedd about a briefing on the Snowden leaks for members of the House Armed Services Subcommittee on Emerging Threats and Capabilities.

"[Redacted] explained the restrictions were to [redacted] but the members appeared unmoved by this argument. Overall, HASC [House Armed Services Committee] members were both appreciative of the report and expressed repeatedly that this information needed to be shared with the American public."

Of course, that didn't stop Congress critters from leaking the data anyway:

On December 18, the Washington Post's Walter Pincus published a column, citing anonymous sources, that contained details from the Snowden damage assessment. Three days earlier, 60 Minutes had broadcast a report that was widely condemned as overly sympathetic to the NSA. Foreign Policy and Bloomberg published news stories on January 9, 2014, three days after the damage assessment report was turned over to six congressional oversight committees. Both of those reports quoted a statement from Republican congressional leaders who cited the DIA's classified damage assessment report and asserted that Snowden's leaks endangered the lives of US military personnel.

Most of those came before the DIA released the number as an unclassified "talking point."

And the documents also reveal that Congress seemed pretty focused on figuring out ways to "change the narrative" on Snowden, rather than actually assessing what Snowden took -- and, apparently, felt they could decide on their own which information in the briefing was classified and what was unclassified, so long as it served their own narrative:

During one classified briefing the damage assessment task force officials held for members of the House Intelligence Committee on Intelligence, lawmakers asked why Snowden, "who claims publicly to be seeking to reform NSA… acquired so many DoD files unrelated to NSA activities."

"[Redacted] explained that [Snowden] appeared to have acquired all files he could reach" was the answer. House Intelligence Committee chairman Mike Rogers and Congressman Adam Schiff "raised the issue that most documents were DoD related — which [redacted] confirmed — and both the congressmen stated they believed this simple fact was both unclassified… and was important for changing the narrative" about Snowden, states an undated summary of the House Intelligence Committee briefing the DIA prepared for Flynn and Shedd.

And, thus, it appears many in Congress had no problem potentially leaking classified information to attack Snowden as a "traitor" for leaking classified information, even though the claims about what he leaked were not, in fact, true.

from the fanciful-geopolitics dept

The TPP saga is entering a critical phase. After the excitement of the initial rejection of Trade Promotion Authority (TPA -- "fast track") in the Senate, followed by the vote in its favor shortly afterwards, attention is now focused on the House, where the outcome is still in doubt. Meanwhile, Australian politicians have finally been granted access to the negotiating text -- but under humiliating conditions, as The Guardian reports:

They were told they could view the current TPP negotiating text on Tuesday "subject to certain confidentiality requirements" and were shown a document they would be required to sign before any viewing.

I will not divulge any of the text or information obtained in the briefing to any party.

I will not copy, transcribe or remove the negotiating text.

The following condition is interesting:

I therefore agree that these confidentiality requirements shall apply for four years after entry into force of the TPP, or if no agreement enters into force, for four years after the last round of negotiations.

This confirms what Techdirt wrote back in 2011: that aside from the final agreement, all the other negotiating texts will be kept secret for four years after the conclusion of the talks. And yet, bad as the Australian deal is, it's more than the public gets when it comes to accessing the text being negotiated in its name. Fortunately, we have WikiLeaks, which has already published three chapters of TPP, and now hopes to leak the rest:

Today WikiLeaks has launched a campaign to crowd-source a $100,000 reward for America’s Most Wanted Secret: the Trans-Pacific Partnership Agreement (TPP).

The most influential, by Peter Petri, Michael Plummer and Fan Zhai, for the East-West Centre, a research institute, forecasts that the deal would raise the GDP of the 12 signatories by $285 billion, or 0.9%, by 2025. It is their numbers that America's government cites when it says TPP will make the country $77 billion richer.

But other researchers predict far more modest gains from TPP:

[The researchers Ciuriak and Xiao] calculate that TPP will raise the GDP of the 12 countries by just $74 billion by 2035, a mere 0.21% higher than baseline forecasts. Others see an even smaller impact. In a paper for the Asian Development Bank Institute, Inkyo Cheong forecasts that America's GDP will be entirely unchanged by TPP.

Given those small, perhaps non-existent, economic benefits, it's perhaps not surprising that US proponents of TPP have shifted their emphasis, claiming that TPP is not so much about economics, as about geopolitical influence -- President Obama's famous "pivot to Asia." A perceptive analysis in the Boston Globe explains why that makes no sense:

The administration's geopolitical case for TPP is fanciful. In the real world, there is no way that new rules for trans-Pacific trade, written without regard to China and without Chinese participation, will somehow pivot the United States into a lasting position of supremacy in China’s backyard.

Four basic facts explain why that is so: First, China is now everybody's biggest trading partner, including America's prospective partners in TPP. Second, the Chinese market represents the major growth opportunity for all these nations.

Third, whatever their concerns about China's increasing military power, Asian leaders have no interest in distancing themselves economically from China -- or from the supply chains that converge there. Fourth, most economists expect China's economic growth will continue to be much faster than that of the United States.

That means that as well as offering the US marginal economic benefits at best, TPP might also damage its chances of engaging meaningfully with China. Sadly, it's probably too much to hope that US politicians will pay much attention to either point once the next round of Congressional haggling over TPA starts again.

The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.

The IRS is reassuring Americans that its "core systems" remain secure, something of little comfort to the 100,000 taxpayers who will be receiving mea culpa letters (and free credit monitoring) from the agency over the next few weeks. What the IRS considers to be adequate protection is apparently not nearly adequate enough. Once the data is out there, verification information can be used to gain access to credit cards, bank accounts or anywhere else the same sort of canned questions are presented during the signup process. The 50% success rate suggests unique personally-identifiable information isn't necessarily all that unique.

In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles.

The IRS is quick to add that 23 million records were "safely" downloaded during this same time period, which isn't really the comforting statement it means it to be. All this means is that millions of downloads weren't linked to "questionable" email domains. That's not the same thing as 23 million downloads going to the actual owners of that information.

The IRS is vowing to "strengthen its protocols" going forward. This is the only response it can offer, unfortunately. Stronger processes are needed, but additional steps and more obscure verification questions will manifest themselves as hurdles a certain percentage of taxpayers won't be willing to leap for online IRS access. Going paperless won't seem nearly as advantageous, not when a motherlode of financial information can be pulled out of the ether by cybercrooks armed with the fruits of years of financial breaches, both public and private.